From: Richard Guy Briggs <rgb@redhat.com>
To: William Roberts <bill.c.roberts@gmail.com>
Cc: William Roberts <wroberts@tresys.com>, linux-audit@redhat.com
Subject: Re: [PATCH 2/2] audit: Enable cacheing of cmdline in audit_context
Date: Tue, 19 Nov 2013 10:40:34 -0500 [thread overview]
Message-ID: <20131119154034.GB15481@madcap2.tricolour.ca> (raw)
In-Reply-To: <1384821680-28829-3-git-send-email-wroberts@tresys.com>
On Mon, Nov 18, 2013 at 04:41:20PM -0800, William Roberts wrote:
> Not enitrely sure if this is getting us any benefit, as in my
> environment, these contexts are getting free'd immediately.
>
> Change-Id: Ia0d432bc4aba8588840f0dc0026a1e9483e5b485
> Signed-off-by: William Roberts <wroberts@tresys.com>
> ---
> kernel/auditsc.c | 48 +++++++++++++++++++++++++++++++++++++-----------
> 1 file changed, 37 insertions(+), 11 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 45fd3d0..4b30c5d 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -270,6 +270,7 @@ struct audit_context {
> } mmap;
> };
> int fds[2];
> + unsigned long cmdline;
Would this be better declared to avoid all the casts?:
char *cmdline;
> #if AUDIT_DEBUG
> int put_count;
> @@ -1044,6 +1045,14 @@ static inline void audit_free_aux(struct audit_context *context)
> }
> }
>
> +static inline void audit_cmdline_free(struct audit_context *ctx)
> +{
> + if (!ctx->cmdline)
> + return;
> + free_page(ctx->cmdline);
> + ctx->cmdline = 0;
ctx->cmdline = NULL;
> +}
> +
> static inline void audit_zero_context(struct audit_context *context,
> enum audit_state state)
> {
> @@ -1118,6 +1127,7 @@ static inline void audit_free_context(struct audit_context *context)
> audit_free_aux(context);
> kfree(context->filterkey);
> kfree(context->sockaddr);
> + audit_cmdline_free(context);
> kfree(context);
> context = previous;
> } while (context);
> @@ -1154,35 +1164,51 @@ error_path:
>
> EXPORT_SYMBOL(audit_log_task_context);
>
> -static void audit_log_add_cmdline(struct audit_buffer *ab,
> +static unsigned long audit_cmdline_get_page(struct audit_buffer *ab,
static char* audit_cmdline_get_page(struct audit_buffer *ab,
> struct task_struct *tsk)
> {
> int len;
> unsigned long page;
> - char *msg = "(null)";
> -
> - audit_log_format(ab, " cmdline=");
>
> /* Get the process cmdline */
> page = __get_free_page(GFP_TEMPORARY);
> if (!page) {
> - audit_log_untrustedstring(ab, msg);
> - return;
> + return 0;
return NULL;
> }
> len = proc_pid_cmdline(tsk, (char *)page);
> if (len <= 0) {
> free_page(page);
> - audit_log_untrustedstring(ab, msg);
> - return;
> + return 0;
return NULL;
> }
> /*
> * Ensure NULL terminated! Application could
> * could be using setproctitle(3).
> */
> ((char *)page)[len-1] = '\0';
> - msg = (char *)page;
> +
> + /* TODO: Re-alloc to something smaller then a page here? */
> + return page;
> +}
> +
> +static void audit_log_cmdline(struct audit_buffer *ab, struct task_struct *tsk,
> + struct audit_context *context)
> +{
> + char *msg = "(null)";
> +
> + audit_log_format(ab, " cmdline=");
> +
> + /* Already cached */
> + if (context->cmdline) {
> + msg = (char *)context->cmdline;
msg = context->cmdline;
> + goto out;
> + }
> + /* Not cached yet */
> + context->cmdline = audit_cmdline_get_page(ab, tsk);
> + if (!context->cmdline)
> + goto out;
> + msg = (char *)context->cmdline;
msg = context->cmdline;
> +out:
> audit_log_untrustedstring(ab, msg);
> - free_page(page);
> }
>
> static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> @@ -1211,7 +1237,6 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
> }
> up_read(&mm->mmap_sem);
> }
> - audit_log_add_cmdline(ab, tsk);
> audit_log_task_context(ab);
> }
>
> @@ -1679,6 +1704,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
>
>
> audit_log_task_info(ab, tsk);
> + audit_log_cmdline(ab, tsk, context);
> audit_log_key(ab, context->filterkey);
> audit_log_end(ab);
>
> --
> 1.7.9.5
>
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
next prev parent reply other threads:[~2013-11-19 15:40 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-19 0:41 [PATCH v3.4] - audit cmdline on events William Roberts
2013-11-19 0:41 ` [PATCH 1/2] audit: Allow auditing of proc/self/cmdline value William Roberts
2013-11-19 14:11 ` Richard Guy Briggs
2013-11-19 0:41 ` [PATCH 2/2] audit: Enable cacheing of cmdline in audit_context William Roberts
2013-11-19 15:40 ` Richard Guy Briggs [this message]
2013-11-19 15:44 ` William Roberts
2013-11-19 16:00 ` Richard Guy Briggs
2013-11-19 16:25 ` William Roberts
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131119154034.GB15481@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=bill.c.roberts@gmail.com \
--cc=linux-audit@redhat.com \
--cc=wroberts@tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox